General procedures of ICT crime investigation
Crime investigation is a scientific exercise that follows scientific procedures; each procedure is meticulously adhered to, since failure to follow it could make the difference between solving the crime and not solving it. This procedure is what is called the ‘General Procedure of Crime Investigation’ in the title above, and it is listed chronologically below:
The investigator should plan his work so that he can conduct his investigation in an efficient and timely manner. The plan should be based on knowledge of the nature of the case under investigation. Among other things, it should cover:
Planning should be a continuous process throughout the engagement. The investigation plan should be written with time and event schedules where possible. At the earliest possible point, the investigator needs to identify the resources required to carry out the investigation. Any restrictions on the investigation also need to be written down, for example the inability to obtain sufficient evidence for any reason, such as lack of resources or lack of time.
The study of the victims: an examination of every facet of their lifestyle, background, health, economic status and physical characteristics. It is hoped that through an in-depth examination of the victim we may come to know the perpetrator a little better. Victimology is important in the overall investigative process because it not only tells us who the victims were (their health, personal history, social habits, hobbies and personality) but also provides ideas as to why they were chosen as victims. In many situations the offender will hold back from choosing a victim until one that meets his needs comes along, and this pattern can lead to a successful arrest. In our case the victim considered is the victim of ICT crimes. The specific questions asked therefore include:
Victimology, as has been said above, is concerned with the objective study of the social and psychological circumstances of (in our case) the individuals or organisations who have become victims of ICT crimes.
Crime classification will guide the investigator in knowing the kind of criminal he is dealing with, so that he can acquire the necessary resources to handle the investigation appropriately. At this stage he is expected to answer questions such as:
FORENSIC PROCEDURES & FORENSIC FINDINGS
Gathering appropriate evidence for criminal prosecution is the science of ‘ICT criminalistics’, ‘cyber-forensics’, ‘forensic computing’ or ‘digital forensics’, and it can be quite a complex matter. This is because of the transient and intangible nature of the data one often deals with, more so in a network environment. Networks often pose a problem of identity, for example that of connecting a virtual persona to a real-life person. Moreover, the stickiness of data poses an integrity problem: data that is not yours in origin, or that you are not even aware of, can sometimes be found in your possession. Such data can also be easily interfered with or modified, which poses a major investigative challenge. At this stage of the investigation, the investigator has processed the crime scene and identified the evidence left behind that may link the perpetrator to the crime scene and, in particular, to the crime itself. Sometimes the findings tell the investigators exactly how the crime was perpetrated. This evidence is collected, collated and stored for presentation before a court of law.
Unlike in other criminal investigations, the focus of the investigator is not necessarily trace evidence but rather data. This is not to say that trace evidence has no place in ICT crime investigation, only that it is not the main evidence sought. It is important for the investigator to be able to reconstruct the crime from the moment it was conceived to its completion. To do this the investigator must develop an accurate account from the forensic findings and fill the gaps with what we have called above investigative considerations. Below we discuss procedures which, if adhered to, give the best chance of evidence being recovered in an uncontaminated manner and therefore being acceptable before a court of law.
A Single-Evidence Form helps the investigator record the forensic findings systematically. It dedicates a page to each item retrieved for a case and allows the investigator to record what was done to the item each time it was taken from the storage locker. It is also necessary to keep a Multi-Evidence Form, which summarises the details of all the Single-Evidence Forms related to the case.
Unlike other crimes, ICT crimes present the following specific challenges:
The procedure for digital forensics involves a number of stages: (i) identifying what data may be available and where it may be found; (ii) preserving such data in a way that minimises interference; (iii) collating such data for intelligence and evidential purposes; (iv) presenting the data in a court of law. The following key issues should be considered standard forensic procedure when processing a computer crime scene, including the investigative considerations to be followed up on:
The investigator must obtain authorisation from the relevant authority: from those who have commissioned the investigation in the case of a private matter, and from a magistrate in a case of public interest.
Note that you will need a search warrant before you can process a suspect’s computer at home or any other place. This is an important issue, because without authorisation the evidence gathered may not be accepted at trial as legitimately collected. The law of evidence holds that evidence collected illegally is not admissible in a court of law. (Search warrants are discussed further below.)
Always record all your activities at the suspect’s home or any other place. Anything that may relate to the case should be fully recorded, for instance location, time, date, serial numbers, etc.
The stolen data must be found on the suspect’s computer.
Process all storage equipment, such as the PC’s hard drive and diskettes, using hard-drive analysers to restore deleted information. Software examples include Easy Restore utilities, Acronis Recovery Expert, PC Inspector and EasyRecovery Professional, used at the forensic laboratory.
All collected evidence must be analysed to answer the “who, when, why and how” questions. The main challenge in this process is checking and running unknown programs and unknown files to find out what they do. NB: emptying the recycle bin is no longer a safe way to discard information, because it is now possible to retrieve a document that has been overwritten up to seven times.
Investigators need to be aware of all the probable causes of the crime, that is fraudulent intent, negligence, abuse of power, sabotage, terror, etc. It is necessary to discover the IP address of the originator of the criminal action. An IP address is a unique number that identifies the relevant resource, i.e. a PC, mobile phone, etc. The address is then linked logically to the originator’s domain name, e.g. email@example.com. Whereas the IP address is unique, the persons using it usually vary, e.g. in a cyber-café. Sometimes a suspect has been identified positively, but there is insufficient evidence to sustain a conviction. In such cases surveillance must be undertaken, especially to monitor the suspect’s activities in and around ICT systems. Video recording of his activities, as well as recording his computer time using the necessary software, will be required.
What risk did the offender take in perpetrating the crime?
Get the history of whom the suspect has been communicating with by phone, i.e. SMS and actual calls, from the relevant CSP.
SEARCH WARRANT CONSIDERATION
Once a suspect or suspects have been identified, investigators will need a search warrant to further build their case against the suspect. Many storage devices may be encountered during the search, and they may be valuable sources of evidence if handled in an acceptable manner so as not to compromise the admissibility of the evidence. It is important to remember that an investigation must satisfy the legal standard, i.e. proving the accused guilty beyond a reasonable doubt. For this reason the stolen data, as well as the material used to steal it, must be found in the possession of the suspect. Hence some of the places for which the investigator must obtain a search warrant include the following:
The suspect’s office, house or both. The focus will be on finding information on the victim, if any, or information that could show design or the suspect’s plans; this will help in proving intention and motive.
The crime scene is the whole house; storage devices such as diskettes should be collected and processed. It should be remembered that the litter bin could actually contain the material being sought.
Consider the PC, if any, as another crime scene.
Any information found in the possession of the suspect helps to link the suspect to the crime.
Reporting and Presentation after Analysis at the Computer Forensic Laboratory
Reporting and presentation: the conclusions and corresponding evidence from the investigation need to convince an authority. The following documentation must be presented to the authority:
Document the entire seizure of the evidence and the chain of custody, document all the gathered evidence, and document what was examined and what the result was.
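The Single-Evidence Form and the chain-of-custody documentation described above can be kept as a machine-checked record: each custody event stores a hash of the item's forensic image, so any alteration between checkout and return is visible in the form itself. This is an added illustration, not code from the original article; the case and item identifiers, handler names and image bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEvent:
    when: str       # UTC timestamp of the event
    handler: str    # person who handled the item
    action: str     # "seized", "checked_out", "returned", "examined"
    sha256: str     # hash of the item's image at the time of the event
    note: str = ""


@dataclass
class SingleEvidenceForm:
    """One page per item: what was done to it each time it left the locker."""
    case_id: str
    item_id: str
    description: str
    image: bytes                     # forensic image of the item (constructed sample)
    events: list = field(default_factory=list)

    def _digest(self) -> str:
        return hashlib.sha256(self.image).hexdigest()

    def record(self, handler: str, action: str, note: str = "") -> CustodyEvent:
        ev = CustodyEvent(datetime.now(timezone.utc).isoformat(), handler, action, self._digest(), note)
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """True only if every recorded hash, and the image now, match the seizure hash."""
        if not self.events:
            return False
        baseline = self.events[0].sha256
        return all(e.sha256 == baseline for e in self.events) and self._digest() == baseline


def multi_evidence_summary(forms):
    """Multi-Evidence Form: one summary row per Single-Evidence Form of the case."""
    return [(f.item_id, f.description, len(f.events), f.verify()) for f in forms]


def demo():
    hdd = SingleEvidenceForm("CASE-001", "ITEM-01", "suspect PC hard drive image", b"constructed sample image")
    hdd.record("Det. A", "seized", "seized at suspect's house")
    hdd.record("Analyst B", "checked_out", "taken from locker for analysis")
    hdd.record("Analyst B", "returned")
    usb = SingleEvidenceForm("CASE-001", "ITEM-02", "USB stick", b"another constructed image")
    usb.record("Det. A", "seized")
    usb.image += b"!"  # constructed: image altered while out of the locker
    usb.record("Analyst B", "checked_out")
    return multi_evidence_summary([hdd, usb])
```

Running `demo()` shows the hard drive verifying cleanly while the USB stick's form flags the altered image as failing integrity.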
Submitted by Kelmen on 4 November 2009 - 10:07am.